1. Field of the Invention
The present invention generally relates to techniques for controlling and limiting the flow of identification information in a commercial transaction, and more particularly to a method and apparatus which enables customers to remotely order goods from a merchant and receive the goods without revealing the customer's identity or address to the merchant.
2. Background Description
In classical retail commerce, the customer could go to a store, pay cash, and carry out the purchased goods without disclosing identification information such as name or address, in short, while totally preserving customer anonymity.
Electronic commerce now allows customers to make purchases while at home or at another convenient location from merchants located in a variety of places, but often at the price of losing customer anonymity. Although remote commerce is now made easy by the World Wide Web, a huge number of potential customers do not participate in this commerce because they are afraid that their participation would mean that they would be included in databases maintained and marketed by the merchant for a variety of commercial purposes without the knowledge or consent of the customer. That is to say, the so-called "big brother" and invasion-of-privacy syndromes worry more and more potential electronic business users, thus limiting the expansion of electronic and other forms of remote business.
It is thus important to have means to sell goods through the Internet without invading the privacy of the customers and even better preserving their anonymity.
Similar problems have been resolved where information, data (and, more generally, material which can be transferred in electronic form on the Internet) is purchased. One example is given by the NetBill Security and Transaction Protocol by B. Cox, J. D. Tygar, and M. Sirbu which can be obtained on the Internet.
However, these solutions do not apply where we are concerned with traditional goods which have to be shipped to the customer. Besides customer anonymity, there is a need for making sure that all services and goods are paid for in a secure way and orders can be confirmed, without much alteration to traditional distribution channels which have proven efficient and with which most merchants feel comfortable.
The present invention presents a method and apparatus to solve this problem, and more generally the problem of preserving anonymity in all sorts of remote commerce, as long as the connection line between the customer and the merchant allows the transfer of a few numbers, letters, or other symbols: thus, besides the Internet, the invention also applies to phone and mail orders.
It is therefore an object of the present invention to provide mechanisms for remote commercial transactions, such that customer identification information need not be disclosed to the merchant nor to anyone (other than the customer) who knows what is bought by the customer.
It is a further object of the invention to be operable with existing commercial distribution channels, with which merchants are already familiar.
The main principle of the invention can be understood as a two stages process.
A) In the first stage, protocols are established among prospective customers, payment agencies, merchants, clearing houses, and delivery companies which guarantee that they will protect the privacy of the transaction. That privacy is in any case already protected by the fact that no party to the protocol has complete information about the order except the customer: nobody other than the customer knows both the identity of the customer and what is bought in the transaction. The essence of these protocols will be evident from the description given below of how the global system works in the second stage in the preferred embodiments. Such protocols will be called Anonymous Customer Protocols (ACP).
A′) Alternatively, in the first stage, protocols are established among prospective customers, payment agencies, merchants, printer service companies, and delivery companies which guarantee they will protect the privacy of the transaction, which is in any case already protected by the fact that no party to the protocol has complete information about the order except the customer. Again, the essence of these protocols will be evident from the description given below of how the global system works in the second stage in the preferred embodiments. The alternate solution does not use clearing houses but uses encryption. A private key/public key pair and a secret encoding key will be used in this invention. The use of private key/public key pairs and the use of secret encoding keys are now well known: a description of these techniques with directions on how to use several of their implementations can be found in "Handbook of Applied Cryptography," by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, CRC Press, 1997 and "Cryptography: Theory and Practice," by D. R. Stinson, CRC Press, 1995.
B) In the second stage, transactions and the transfers of goods take place which involve all parties we have mentioned in A) above. Two clearing houses, one dealing with data, the other with goods, break all chains so that an employee of a bank or of one of these clearing houses has to collaborate with some other party for the link between the customer and the merchants to be accessible. Even that is impossible if the customer takes some extra steps such as not using her/his bank or credit card accounts and using a remote delivery address.
B′) Alternatively, in the second stage, transactions and the transfers of goods take place as follows: the customer gives the order, some code numbers and the identity of the chosen payment agency to the merchant. The merchant communicates an order number to the customer, to the payment agency (which authenticates the numbers furnished by the customer and agrees to pay the merchant), and to its warehouse and/or manufacturing services. The customer has the option to request that the order be delivered to an alternate address, in which case the payment agency needs to contact the customer with the order number and obtain the shipping address. The payment agency might also send the Zip code of the customer to the merchant for determining shipping and handling charges. The package(s) is prepared by the merchant while the payment agency commands the printer to print an address label that the merchant can associate with the order (using the public key) but cannot read otherwise (except possibly for very vague data which cannot identify the customer better than revealing her/his Zip code would). Once the label is attached by the merchant to the package, it is handed to the delivery company, which acknowledges receipt and, in Option 1, rips off some foil covering the readable address, or, in Option 2, reads some code and decodes it using the secret encoding key to obtain a readable address which is then printed. The package and label can be such that the local delivery agent cannot identify the merchant. The package and label can also be such that the delivery company cannot know the precise content of the package.
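The following is an added toy model of the B′) flow in Option 2; it is not code from the patent. It shows the information each party ends up holding: the payment agency seals the customer's address under a secret encoding key it shares with the delivery company, and attaches an association tag so the merchant can check that the label belongs to a given order number without reading the address. Where the page calls for a private/public key pair for that association check, this standard-library-only example substitutes an HMAC under a key shared between payment agency and merchant (ASSOC_KEY); in practice that tag would be a signature verified with the agency's public key. The cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC), the keys, the customer record and the order contents are all constructed for the example.

```python
"""Toy model of the B') alternative: sealed address labels. Added example, not the patent's code."""
import hashlib
import hmac
import secrets

# Constructed keys. The page specifies a private/public key pair for the merchant's
# association check; for a self-contained example an HMAC under ASSOC_KEY stands in
# for that signature. ENCODING_KEY is the "secret encoding key" shared by the
# payment agency and the delivery company only.
ENCODING_KEY = secrets.token_bytes(32)
ASSOC_KEY = secrets.token_bytes(32)

# Constructed customer record, held by the payment agency alone.
CUSTOMERS = {
    "7781-2204": {"name": "A. Customer", "address": "12 Example Street, Springfield 62704", "zip": "62704"},
}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a real cipher such as AES-GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, text: str) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    pt = text.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> str:
    """Reject a label whose tag does not verify, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("label rejected: tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def agency_authorise(customer_code: str, order_number: str) -> dict:
    """Payment agency authenticates the customer's code and reveals only the Zip code."""
    return {"order_number": order_number, "zip": CUSTOMERS[customer_code]["zip"]}


def agency_print_label(customer_code: str, order_number: str) -> dict:
    """Payment agency commands the printer: sealed address plus association tag."""
    sealed = seal(ENCODING_KEY, CUSTOMERS[customer_code]["address"])
    assoc = hmac.new(ASSOC_KEY, order_number.encode() + sealed, hashlib.sha256).digest()
    return {"order_number": order_number, "sealed_address": sealed, "assoc": assoc}


def merchant_attach_label(order: dict, label: dict) -> dict:
    """Merchant checks the label belongs to this order without being able to read it."""
    expected = hmac.new(ASSOC_KEY, order["order_number"].encode() + label["sealed_address"], hashlib.sha256).digest()
    if order["order_number"] != label["order_number"] or not hmac.compare_digest(expected, label["assoc"]):
        raise ValueError("label does not belong to this order")
    return {"label": label, "contents": order["items"]}  # the package


def delivery_read_label(package: dict) -> str:
    """Delivery company decodes the label with the secret encoding key."""
    return unseal(ENCODING_KEY, package["label"]["sealed_address"])


def run_transaction(items: list, customer_code: str) -> dict:
    """Runs one order and returns what each party knows at the end."""
    order_number = "ORD-" + secrets.token_hex(4)
    order = {"order_number": order_number, "items": items, "customer_code": customer_code}
    auth = agency_authorise(customer_code, order_number)
    label = agency_print_label(customer_code, order_number)
    package = merchant_attach_label(order, label)
    address = delivery_read_label(package)
    return {
        "merchant": {"items": items, "zip": auth["zip"], "order_number": order_number},
        "payment_agency": {"customer": CUSTOMERS[customer_code]["name"], "order_number": order_number},
        "delivery": {"address": address},
    }


def knows_identity_and_goods(view: dict) -> bool:
    """True if a single party's view links the customer to what was bought."""
    return ("customer" in view or "address" in view) and "items" in view


if __name__ == "__main__":
    views = run_transaction(["one widget"], "7781-2204")
    for party, view in views.items():
        print(party, view, "LINKS IDENTITY TO GOODS" if knows_identity_and_goods(view) else "")
```

The check in `merchant_attach_label` is the point of the "association" step: a mislabelled package (for instance a label issued for a different order number) is rejected before shipment, while the merchant's own view still never contains the address. A tampered `sealed_address` is caught by the delivery company in `unseal`.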
In case the customer wants more anonymity, the delivery can also be made to the payment agency, some post office box, or a separate agent: such extreme cases lead in fact to easy solutions to the anonymity concern because the lack of access of the merchant to the printer is no longer required. However, since such solutions involve considerably more time loss for the customer, they are less acceptable than the present invention as a general solution to the anonymity protection problem.